[stunnel-users] is verify level 4 working?

Thomas Eifert kxkvi at lavabit.com
Mon Jul 8 23:44:07 CEST 2013 

dansmith,

It's my understanding that verify = 4 should, theoretically, look only
for the server certificate, and this is the way I've been using it with 
great success over the past year or so.  Recently, however, I ran into 
an exception to that behavior.

In my case, I only had to download and install one certificate; that of 
the signing CA.  I simply pasted it directly below the server 
certificate in the associated .pem file.  The CA certificate wasn't 
originally in .pem format, so I converted it beforehand.  OpenSSL has 
conversion capability, and there are also online certificate tools 
available.  Your mileage may vary.

Good luck.

Thomas


On 7/8/2013 3:01 PM, dansmith wrote:

 > Could you kindly break it down for me. Are you saying that I need to
 > have two CAs A & B. A signs the certificate of B and B signs the
 > certificate of my server?
 > Do I understand correctly that verify=4 is supposed to simply ignore any
 > CAs and only look at the actual certificate, comparing it to the
 > certificate in CAfile ?
 >
 >
 > On 07/08/2013 06:32 PM, Thomas Eifert wrote:
 >> You're not missing anything.  I've experienced a similar issue.  While
 >> verify = 4 generally works well in most cases and will ignore the CA
 >> chain, I've encountered a few isolated incidences in which I've had to
 >> append or "chain" the server certificate with the certificate of the
 >> CA. Give it a shot and see if it resolves your issue.
 >>
 >> Thomas
 >>
 >> On 7/8/2013 3:02 AM, dansmith wrote:
 >>> I would expect that level 4 only compares locally installed
 >>> certificates, however I get the same behaviour as with level 3, stunnel
 >>> expects a CA cert.
 >>> Here'e the relevant log when on level 4
 >>>
 >>> Jul  6 23:46:31 mmm stunnel: LOG7[7870:140491349628672]: Starting
 >>> certificate verification: depth=0,
 >>> /C=qq/ST=qq/O=qqq/OU=rer/CN=redf/emailAddress=rfd
 >>> Jul  6 23:46:31 mmm stunnel: LOG4[7870:140491349628672]: CERT:
 >>> Verification error: unable to get local issuer certificate
 >>> Jul  6 23:46:31 mmm stunnel: LOG4[7870:140491349628672]: Certificate
 >>> check failed: depth=0, 
/C=qq/ST=qq/O=qqq/OU=rer/CN=redf/emailAddress=rfd
 >>> Jul  6 23:46:31 mmm stunnel: LOG7[7872:140080853112576]: SSL alert
 >>> (read): fatal: unknown CA
 >>>
 >>> What am I missing in understanding verify's level 4 ?
 >>>
 >>>
 >>>
 >>>
 >>> _______________________________________________
 >>> stunnel-users mailing list
 >>> stunnel-users at stunnel.org
 >>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
 >>>
 >>
 >
 >

-- 
Attention: This message and all attachments are private and may contain 
information that is confidential and privileged. If you received this 
message in error, please notify the sender by reply email and delete the 
message immediately.

-- 
Attention: This message and all attachments are private and may contain 
information that is confidential and privileged. If you received this 
message in error, please notify the sender by reply email and delete the 
message immediately.

More information about the stunnel-users mailing list